Understanding Door Configuration

This chapter describes the concepts used to configure doors and templates.

A door configuration is a collection of devices, such as locks and readers, connected to a Cisco Physical Access Gateway and configured in Cisco PAM. To configure a door, add a Gateway to Cisco PAM and then assign one or more door configurations to the Gateway using the pre-defined door templates. Door configuration templates include common sets of devices and configurations to simplify access control configuration. Gateways and the associated doors can be configured either before or after the Gateway is added to the network.

Provisioned (Pre-Populated) Configuration

A Provisioned configuration occurs when a Gateway configuration is entered in Cisco PAM before the module is brought online. If the Gateway serial number matches the existing Cisco PAM configuration when the module is added to the network, Cisco PAM automatically downloads the existing configuration to the module.

•If the Gateway connects to Cisco PAM and does not have a configuration (such as after a hard reset), the latest configuration applied to that Gateway is downloaded.

Discovered Configuration

A Discovered configuration occurs when a Gateway is added to the network and no Cisco PAM configuration exists. Cisco PAM automatically creates a new entry based on the module serial number and the serial numbers of any attached expansion modules.

The Gateway is assigned a name based on "gw_" and the serial number. For example, if the Gateway serial number is FHH112900XX, the name of the discovered Gateway configuration in Cisco PAM will be gw_FHH112900XX.

Note The serial number for each Gateway and expansion module is unique and cannot be changed. In a Discovered configuration, the serial numbers are automatically sent from the module to the Cisco PAM appliance over the IP network. If the serial number for the Gateway or an attached expansion module already exists in the Cisco PAM configuration, the Gateway is not added.

Viewing Device and Door Configuration

A door configuration is a collection of devices, such as locks and readers, connected to a Cisco Physical Access Gateway and configured in Cisco PAM. To configure a door, add a Gateway to Cisco PAM and then assign one or more door configurations to the Gateway using pre-defined door templates. Door configuration templates include common sets of devices and configurations to simplify access control configuration.

Once the Gateways and door configurations are added to Cisco PAM, you can view the configurations in a device view that lists the Gateways, expansion modules, and interfaces, or in a Locations view, that displays the door configurations in a hierarchical location map.

Viewing Doors and Devices in the Hardware View

The Device view in the Hardware module displays a list of configured Gateways, expansion modules, and other devices in a hierarchical tree, as shown in Figure 5-1.

To open the device view, select Hardware from the Doors menu. In the Hardware window, select Device from the View menu. Gateways are listed by name and represented by a blue icon, as shown in Figure 5-1. Click the box next to the icon to expand the hierarchical tree and view the expansion modules and other devices associated with the Gateway.

Figure 5-1 Expanded Hardware Tree: Gateways and Related Devices

Note Some devices, such as tamper inputs, fire sensors, and cameras, are not part of door configurations.

Tip The names of all hardware tree elements are editable, including Drivers, Gateways, expansion modules, and door devices.

Read-only. A site is a single instance of a Cisco PAM database. It generally, but does not necessarily, correspond with a single geographical location, such as a building complex, building, or part of a building. Most installations of Cisco PAM only have a single database, and hence a single site. Multiple sites are used in larger configurations, such as a company with offices in distant locations that have a Cisco PAM database at each office.

2

Driver Manager

Read-only. The Driver Manager enables Cisco PAM hardware and software drivers, such as the gateway Driver or the EDI Driver. The Driver Manager cannot be deleted.

3

Access GW Driver

The Access GW Driver allows you to add Cisco Physical Access Gateway hardware modules to the system configuration, and supports the additional expansion modules (Reader, Input and Output) connected to a Gateway. The Access GW Driver also manages the events and alarms generated by devices, modules, and Gateways. The Access GW Driver is enabled by default.

Note The Access Gateway Driver is an example of a Device Driver. Device Drivers enable software and hardware functionality. Additional Device Drivers include the Logical Driver, Automation Driver, EDI Driver, and Cisco VSM Driver. Each of these drivers enables the functionality for that feature, and provides basic configuration settings. There can only be one instance of each driver.

4

Gateway Controller

A Gateway controller is added for each Gateway device. The modules and devices configured on the Gateway are listed below the Gateway Controller and include the Gateway module, any expansion modules and the other devices attached to the module interfaces. Figure 5-1 shows an example Hardware tree with the Gateway Controllers, expansion modules and other devices.

To add a Gateway module to the configuration, right-click on the Access GW Driver and select New Gateway Controller.

5

Access Control Modules

Modules include the Gateway, Reader, Input and Output modules. Each configured module is listed under the Gateway Controller, including the Gateway module itself.

Note The Gateway module is displayed by default. Expansion modules are displayed only if added to the configuration. For information and instructions to install modules, see the Cisco Physical Access Gateway User Guide. For instructions to configure modules, see Chapter 6, "Configuring Doors".

6

Module Interface

Each module includes a set of interfaces for connecting door hardware and other devices. For descriptions of each module interface, see the Cisco Physical Access Gateway User Guide.

Viewing Doors and Devices by Location

Since Gateways and related equipment are installed for specific locations, you can view door configurations in a hierarchical location map, as shown in Figure 5-2. This map is available in both the Hardware module and the Locations & Doors module of the Doors menu.

The location map represents doors as they are organized in the real world. For example, if an organization has a campus in Bangalore, and another in San Jose, you can create a hierarchical map for each site, and assign the door configurations to a campus, building, floor, area, or sub-area. You can name the locations as needed, and place the doors at any level of the location hierarchy.

Figure 5-2 shows the location view in the Hardware module. Select Hierarchical Location in the View menu to display the map. Although you can modify the door configurations from this view, you cannot change the location map. See Creating the Location Map for more information.

Figure 5-2 Hierarchical Location View of Hardware Devices

1

View Menu

5

Floor

2

Base

6

Area

3

Campus

7

Sub-Area

4

Building

8

Door

Tip•Door configurations can be assigned to any level of the hierarchical map.

•You can drag-and-drop Gateways and Doors from one location to another.

Creating the Location Map

To create or modify the location map for door configurations, select Locations & Doors from the Doors menu. This map is also displayed in the Hierarchical Location view of the Hardware module, as described in Viewing Doors and Devices by Location.

Figure 5-3 shows a sample location map. You can use any combination of map elements, such as campus, building, and floor.

Use the following methods to create and modify the location map.

•To create a new base, click the Add Base button in the toolbar menu.

•To create a sub-location, right-click a location and select New [Element].

•To change the properties for an element, right-click a location and select Edit.

You can create any combination of location elements and door configurations can be assigned to any level of the hierarchical tree. For example, if a building has only one entrance, you can assign the door configuration at the building level. For larger sites with multiple doors, you may need to assign a door configuration to a specific floor or area within the building.

Figure 5-3 Locations & Doors: Main Window

Note Hierarchical locations cannot be deleted. Door and Gateway names must be unique.

1Unassigned includes Doors and Devices that are not assigned to a location.

Filtering the Devices Displayed in the Locations View

Use the View menu to select the devices or doors displayed in the Location & Doors window. For example, select Gateway Controllers to display only the Gateway Controllers in their assigned location (Figure 5-4).

Figure 5-4 Locations & Doors: View Menu

To execute a command for all the devices or doors in a location, right-click the location and select a command.

Example

In the following example, the password is changed for all Gateways installed in a location:

Step 3 Select Reset Gateway Password. The passwords are reset for all Gateways assigned to that location.

Changing the Location of a Device or Door

To change the location of a door or device (including Gateways, input and output devices) from one location to another, you can drag and drop the items in the location map, or or edit the configuration, as described in the following steps.

Procedure

Step 1 Select Hardware or Locations & Doors from the Doors menu.

•Locations & Doors: Select a device or door from the View menu.

•Hardware: Select Hierarchical Location from the View menu.

Step 2 Expand the location tree to view the device or door.

Step 3 Change the location for the device or door:

•Drag and drop the device or door icon to a new location, and click Yes when the confirmation message appears.

or

•Select the device or door and click Edit. In the Edit window, select the Location tab and choose a new Hierarchical Location from the drop-down menu, as shown in Figure 5-5. You can also click the Choose button to select a location from the location map.

Figure 5-5 Editng the Location for a Door or Device

Viewing Device and Door Status

To view the status for a door or device use on of the options described in this section:

Generating a System Sanity Report

System sanity reports provide information about potential system inconsistencies. For example, it includes a summary of doors that are administratively Down, devices and doors that are disabled, and other information. Sanity reports can be viewed online, or saved to your computer in a variety of formats.

Overview

Configuring an access control system for a large number of doors can be complex and time consuming. For example, if an organization has 500 doors, each door may include a different set of devices and access control rules. Some doors may include only a lock, a reader, and a REX (request to exit) device, while other doors may also include sensors and cameras. Lobby doors may need to be unlocked during business hours, while others should remain locked and require badge access at all hours. If the requirements for a door or set of doors changes, the settings must be manually entered and tracked for each door.

To manage this complexity, Cisco Physical Access Manager supports door and device templates. Templates allow you to create standard configurations that can be applied to groups of doors.

For example, if all the lobby doors in your organization use a similar set of equipment and access control rules, and all lab doors use a different set of devices and configurations, you can create one door template for lobby doors, and another for lab doors. To create a door configuration, just assign the pre-defined door template to a Gateway.

Since a door configuration references a door template, all template settings or changes to those settings are reflected by the door. You can easily override most template settings for a single door by deselecting the Default checkbox next to each field and entering a custom value. The current door setting is changed, but the template and the other doors that reference that template are unaffected.

Using templates, a campus that includes 500 doors can be categorized into 10 different door categories (such as lobby, lab, records, etc.). With Cisco PAM you create 10 different door templates instead of 500 individual door configurations. You also have full flexibility to change settings for a single door, or groups of doors.

Sequence for Configuring Templates and Doors

Figure 5-18 outlines the main tasks to create templates and apply them to door configurations.

Door Configurations and Templates

Door configurations are sets of device hardware assigned to a Gateway. Door configurations usually include the following devices:

•Lock: Used to lock the door.

•Rex: REX is an abbreviation for request to exit. A REX is a type of door hardware, typically a button that allows people to exit through an access point without using a badge. Push button type REX can automatically relock the door immediately or after a delayed time interval. REX devices also include non-push button devices.

•Reader: A device used to read a user's card credentials.

•Door Sensor: A device that senses if the door is open or closed.

•Deadbolt: An additional lock used for added security.

•Door Swing: A device used to open the door with a mechanical arm or other mechanism.

•Adding Gateways and Doors Using Templates, page 6-2: this method uses a step-by-step script that prompts you to add a Gateway to the system, create one or more door configurations, and assign a door template to each door. This is the quickest way to add a completely new set of hardware to the system.

Template Types

There are five different types of templates. Each template is as a building block to provide pre-defined configurations for the next level.

•Gateway Templates: defines basic attributes of the Gateway module such as the time zone, support for one or two doors, the attached expansion modules, and the door templates assigned to the Gateway. Changes to a Gateway template do not impact configured Gateways (only new Gateway configurations).

Impact of Template Changes on Configured Doors and Devices

•Changes to a Gateway template do not impact configured Gateways. Only new Gateway configurations include the new settings. Gateway templates assist in new configurations only.

•Door configurations are impacted whenever the template settings for that door are changed, unless you enter a custom setting for that door.

•Changes to a door or device configuration, including changes to a template, do not take effect until the configuration is applied to the effected Gateways. See Applying Configuration Changes, page 6-17 for more information.

•Each template type includes a set of default templates. Most attributes for these default templates cannot be changed in the template. They can only be changed for an individual device. Only user-created templates can be modified.

Understanding Device Templates

Device templates operate on the same concept as door templates, allowing you to create common configurations for devices, such as locks and readers.

For example, a typical access control solution might use one or two types of locks in multiple locations, with each lock type using a similar configuration. Or, the locks may use different configurations in different locations. In either case, instead of creating separate configurations for every lock in the system, you can create a device template for each type of lock that uses a similar configuration.

Device templates are applied to a specific Gateway interface, or used to define the devices in door templates. If a device requires a different configuration, you can easily override the settings for a specific device without effecting the other devices or the template.

Tip Cisco PAM includes sample templates, or you can create new templates. There is no limit to the number of templates in a system.

Changes to a door configuration or device, including changes to a template, do not take effect until the configuration is downloaded to the effected Gateways. See Applying Configuration Changes, page 6-17 for more information.

Related Documentation

Understanding Credential Templates

When an access control card is presented to a reader, the reader reads a set of bits. The reader needs to know how to interpret the bits, how to validate the data, and how to extract relevant card information. Credential Templates specify the card data format for a reader, and are used to configure reader device templates.

The data specification include the following:

•Card data fields and data range

•Parity bits and their bit position for data validation

•Marker bits and their bit positions/range using sentinels

Each credential template has Primary and Secondary Data fields to determine how the card data is extracted.

Understanding Reader LED Profiles

Use the Reader LED module to create settings for LED lights on the reader interface of a Gateway or Reader module. The profiles are applied to reader interfaces in the Hardware module, or to door templates. See Configuring Reader LED Profiles, page 7-21 for more information.

Understanding Door Modes, Door Schedules, and the First Unlock Feature

Overview

Each door configuration has a default mode that defines if the door is locked, unlocked, secured, or left open. The door remains in this mode at all times unless you configure an optional schedule to define exceptions to the default mode. For example, if the default mode for a door is Lock, and you define a door schedule that automatically unlocks the door between 8 am and 5 pm. (Close), then the door will be locked at all hours except 8 am to 5 pm.

In addition, the First Unlock feature ensures that the door schedule (and associated mode) is activated only if a user successfully swipes a badge to access the door. This is useful in situations such as a snow day, when employees may not be able to reach work. The door is not automatically unlocked unless a badge holder is physically present.

To configure door modes and door schedules, use the door Properties window shown in Figure 5-19.

•The Door enable schedule: specifies a door schedule for the times and days when a different door mode is applied. If you select a schedule, the schedule will override the default mode for the times and days defined in the schedule. See Understanding the Scheduled Door Mode.

•Scheduled door mode: the mode used when the door scheduled is applied.

•First unlock. determines if the schedule is activated only after the first successful badge swipe. The door remains in default mode until a badge is used to access the door, even after the beginning time for the schedule. See Understanding First Unlock Impact on the Scheduled Mode

A Scheduled mode overrides the default mode for the days and hours in a door schedule. For example, if the default mode is Lock, you can create a door schedule to change the mode to Close during normal business hours. The door will be locked at all times except 8 am to 5 pm, when it is physically closed but unlocked. See Understanding the Scheduled Door Mode

The Override mode occurs when you manually change the door mode using a door command. The Override door commands are:

•Set Door Mode Lock

•Set Door Mode Open

•Set Door Mode Secure

•Reset Door Mode (removes the override and restores the default or scheduled mode)

Viewing the Door Mode Status

The door mode is displayed in the Extended Status pane when you select a door in the Hardware or Locations & Doors module. In the example shown in Figure 5-20, a door's Default mode is Open and the Current mode is Close (Scheduled). This means that the door is currently in the scheduled mode of Close, but when the schedule ends, the door will return to the default mode of Open.

Understanding the Default Door Mode

The default door mode is the state of the door at all times, except when an optional schedule is applied. For example, if the default mode is Lock, the door is physically closed and the lock is applied at all times. You can override the Default door mode using a door schedule, or by selecting a door command.

Understanding the Scheduled Door Mode

Door schedules define exceptions to the default door mode during specific days and times. For example, if the default door mode is Secure, the door will be in secure mode at all times except during the days and hours defined by a door schedule. To create and apply a door schedule, do the following:

1. Create the schedule using the Schedule Manager.

2. Select the schedule in the door Properties window using the Door Enable Schedule menu.

3. Select the door mode used during the schedule using the Scheduled door mode menu.

Door schedules change the door mode at the days and times included in the schedule. If a door is set to open every workday at 8 am, the door opens even if it is a holiday and no one is physically present. See Understanding First Unlock Impact on the Scheduled Mode to avoid this situation.

Understanding First Unlock Impact on the Scheduled Mode

First Unlock ensures that the door schedule (and associated mode) is activated only if a user successfully swipes a badge to access the door. This is useful in situations such as a snow day, when employees may not be able to reach work. The door is not automatically unlocked unless a badge holder is physically present. When the door is accessed with a valid badge, the door schedule is activated and the Scheduled Door Mode is applied. See Example: Configuring the Default and Scheduled Door Modes for instructions to apply the First Unlock option.

Door Mode Changes and First Unlock

A badge is required to activate the door schedule (and associated mode) anytime the door mode is reset, after the Gateway is reset, or after a power failure to the Gateway.

Applying First Unlock

The First Unlock feature is applied immediately when a door configuration is changed. For example, if a Cisco PAM administrator changes a door configuration at 10 am to include First Unlock, the change is applied immediately and the door returns to Default mode until accessed with a badge to activate the scheduled mode.

For additional information on operating doors that are configured with First Unlock, see the following:

Manually Override the Door Mode Using Commands

When the door mode is manually changed using a door command, the current mode is displayed as Override. Door remain in the Override mode until another door command is selected, or the Gateway is reset.

For example, in Figure 5-21 the current mode is Close (Scheduled). Right click the door and select Set Door Mode Lock. The current mode is changed to Lock (Override), as shown in Figure 5-22.

Figure 5-21 Selecting a Door Mode Command

The current mode remains Lock (Override) until you do one of the following:

•Select another door mode command. For example, Set Door Mode Open.

•Select the Reset Door Mode command to remove the override and restore the configured default and scheduled modes. If a door schedule is configured, and the time is within the schedule, the door enters the scheduled mode immediately (however, if First Unlock is configured, the scheduled mode is not activated until the door is accessed with a badge).

For example, in Figure 5-22 the current door mode is Lock (Override). The door stays in the override mode until you select another door mode or reset the Gateway. In this example, the Reset Door Mode command is selected, which returns the door to the scheduled mode. However, since the First Unlock feature is configured, the door stays in Default mode (Open) until the door is accessed with a valid badge.

The Gateway is reset using the Reset Gateway command, or when the Gateway power is turned off and on.

Example 1

•The default door mode is Lock (physically closed and locked).

•The scheduled door mode from 8 am to noon is Close (physically closed and unlocked).

•First Unlock is set to Yes.

If power to the Gateway goes off and comes back on at 9 am (during the scheduled mode), the Gateway is reset. Since First Unlock is configured, and the door returns to the default state (Lock) until a badge is swiped to reactive the scheduled door mode (Close).

Example 2

•The default door mode is Lock (physically closed and locked).

•The scheduled door mode from 8 am to 5 pm is Close (physically closed and unlocked).

While the guard is away, another use invokes the Reset Gateway command in Cisco PAM. Since the First Unlock feature is not configured, the scheduled mode is immediately applied and the door is placed in Close (physically closed and unlocked). The door is now unlocked even thought he guard is absent.

Example: Configuring the Default and Scheduled Door Modes

In the following example, a door schedule is created for a lobby door. The door should be physically closed but unlocked and open to the public during normal working hours, from 8 am to 5 pm. However, the door should be also be locked from 12 noon until 1 pm when the receptionist is at lunch.

Since this location occasionally suffers snow storms that close roads and delay traffic, we want to keep the door locked in the morning until the receptionist (or another employee) arrives and accesses the door with a badge, even if they arrive after the scheduled unlock time of 8 am. (the door should not automatically unlock for public access at 8 am, even if there is no employee on-site). This First Unlock rule is also applied to the lunch hour, so the door remains locked at 1 pm until the receptionist or another badge holder physically accessed the door.

Note The following sample schedule does not include exceptions for holidays or other special cases. For complete instructions to configure door schedules, see Using the Schedule Manager, page 9-7.

To do this

Use this display

Step 1

Create a schedule for the door.

Note Create door schedules that define the times the door is not in default mode.

a. Select Schedules from the Doors menu, in the Schedule Manager sub-menu.

The following example places the door in Lock mode at all times, except for Monday to Friday, 8 am to 12 pm, and 1 pm to 5 pm, when the door is in Close mode.

Tip To override the default template settings, uncheck the box in the right column to activate the field.

a. For Default mode, select Lock. The door is physically closed and the lock applied at all hours by default. A badge is required for access.

b. For Door enable schedule, select 8-5, minus lunch. This is the schedule created in Step 1.

c. For Scheduled door mode, select Close. The door is physically closed during the door schedule hours, but the lock is not applied.

d. For First Unlock, select Yes. The door remains in Lock mode in the morning and after lunch break until a badge holder physically swipes their badge to activate the schedule and place the door in Close mode.

e. Click Save and Close to save the changes.

Step 4

Apply the door configuration changes.

Right-click a location or Gateway and select Apply Configuration Changes.

Note Gateways must be in the Up state, signified by a green triangle in the icon. A dark green triangle means configuration changes that have not been applied.